Articles about security – will be highlighted on the security page.

Dealing with the latest security threats

There has been a lot of attention in the media recently following the OpenSSL Heartbleed vulnerability. While Safe4 was never affected by this problem we have recently reviewed our security settings covering the security of the connection between your computer and our servers.

The SSL protocol, which encrypts the communication between a client computer and a server when a site specifies HTTPS, has evolved over the past years, with 5 recent versions – SSL2.0, SSL3.0, TLS1.0, TLS1.1 and TLS1.2. Obviously the newer protocols are more secure than the earlier ones.

At our last review we took the decision to disable the SSL2.0 and SSL3.0 protocols. It was originally thought that this would only impact users of IE6 on Windows XP (Safe4 does not see this combination in our user base), but it also appears to affect IE8 on Windows XP, since Internet Explorer relies on the operating system to secure the communication.
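One way to gauge which clients a change like this cuts off is to read the highest protocol version each client offers in its first handshake message. The Python sketch below is an added example, not Safe4's code; the function names and the sample handshake bytes are constructed for illustration.

```python
import struct

# Wire codes for the five protocol versions the article lists.
VERSIONS = {0x0002: "SSL2.0", 0x0300: "SSL3.0", 0x0301: "TLS1.0",
            0x0302: "TLS1.1", 0x0303: "TLS1.2"}
MIN_ALLOWED = 0x0301  # policy from the article: SSL2.0 and SSL3.0 disabled


def client_max_version(data: bytes) -> int:
    """Highest protocol version offered in a client's first handshake bytes."""
    if len(data) < 5:
        raise ValueError("truncated input")
    # SSL2.0-format hello: 2-byte header with the top bit set, message type 1.
    # (Such a hello may advertise a higher version; the field is still read.)
    if data[0] & 0x80 and data[2] == 1:
        return struct.unpack(">H", data[3:5])[0]
    # SSL3.0/TLS record: content type 22 (handshake), version, 2-byte length.
    if data[0] != 22:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack(">H", data[3:5])
    body = data[5:5 + rec_len]
    # Handshake header is type (1 = ClientHello) + 3-byte length, then version.
    if len(body) < 6 or body[0] != 1:
        raise ValueError("truncated or not a ClientHello")
    return struct.unpack(">H", body[4:6])[0]


def assess(data: bytes):
    """Return (version name, accepted under MIN_ALLOWED)."""
    version = client_max_version(data)
    return VERSIONS.get(version, "unknown 0x%04x" % version), version >= MIN_ALLOWED


def make_hello(version: int) -> bytes:
    """Constructed minimal ClientHello for the demo, not a captured one."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake


# Constructed SSL2.0-format hello: header, type 1, version 0x0002, lengths,
# one 3-byte cipher spec, 16-byte challenge.
SSL2_HELLO = (bytes([0x80, 28]) + b"\x01\x00\x02\x00\x03\x00\x00\x00\x10"
              + b"\x01\x00\x80" + bytes(16))

if __name__ == "__main__":
    for sample in (SSL2_HELLO, make_hello(0x0300), make_hello(0x0301),
                   make_hello(0x0303)):
        print(assess(sample))
```

Run against the first bytes of each connection seen before the change, this gives a count of clients whose best offer falls below the new minimum.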

Safe4 would recommend upgrading from Windows XP at the earliest opportunity. However, this may not be an immediately available option, in which case Safe4 would recommend the use of an alternative browser such as Google Chrome, which supports these latest security protocols and will help to keep your information secure.

Importantly Microsoft has discontinued support for Windows XP as of 8th April 2014 – see http://www.microsoft.com/windows/en-gb/xp/end-of-xp-support.aspx. Critically this means that Microsoft will not be issuing any further security patches or software updates – which means your PC and the information on it may become vulnerable in the future.

Dealing with Heartbleed

I am sure that everyone is aware of the news regarding the Heartbleed bug that has been discovered in some web sites. As usual the BBC has a well-balanced report on the background – see http://www.bbc.co.uk/news/technology-26954540.

Happily I am very pleased to advise that the Safe4 service was not affected by this security bug as we do not and have never used the software, OpenSSL, to secure and encrypt the communication between your computers and Safe4.

In an environment where web attacks are increasingly common, a few things made this problem significant enough to propel it to headline news.

  • Principally it enabled access to the server’s private security / encryption keys. These keys are used to decrypt transmitted information. Once an attacker has these keys it is possible for them to decrypt all traffic that used those keys both for historically intercepted traffic and, until the keys have been changed, future traffic as well.
  • Many attacks leave a clear trace that the attack has taken place – in this specific case there is no means to detect that the attack has happened – therefore it is not possible for sites to detect if they have been the subject of an attack. Best practice therefore is to assume that sites using the affected versions of the software have been compromised.

These things combined have led to the advice for users to change their passwords in use on the internet. This is clearly a daunting task since if you follow best practice advice, which I would wholeheartedly endorse, then you probably have many tens of passwords to change. I would encourage you to consider using tools like 1Password (https://agilebits.com/onepassword), which help you to use much more secure passwords and manage and keep track of them securely.

Safe4 is obviously built from the ground up around security of your information. We are proud that you trust your sensitive information to us. Although not affected by this bug we have, probably like many companies today, reviewed our system configurations and run some further tests to ensure we remain secure. As a result of the review we took the decision today to disable some outdated routines which were only used by older browsers. Independent testing has given us a clean bill of health.

How secure are your Email transmissions?

Email has become, over the last two decades, the accepted means by which communication between businesses takes place.  We all use it every day, perhaps without thinking in many cases.  But is it the right way to send confidential or secure information?  And how do we control what happens when it gets to the recipient’s inbox?  Will our confidential information be forwarded in error, deleted, misfiled, or simply ignored?

This raises some important questions:

  • Do we trust email for the transfer of confidential information?  In this age of spamming, phishing, banking scams, and sundry other criminal activities based on email, are we happy to entrust private, mission-critical information to this medium?
  • Even if we were to find a completely secure, encrypted email transmission and receipt service that everybody we might want to communicate with was happy to use, are we still sure that attachments are handled correctly at the other end?
  • And what if you are travelling, and can’t get access to your desktop email client with encryption keys, does everything stop and wait for you?

At Safe4, we believe that there is a better way of achieving complete security of information transfer.  With the Information Commissioner announcing fines of up to £500,000 for breaches of information security, this is not a good time to ignore this issue.

The UK’s legal profession makes use of insecure email constantly.  Most legal professionals instinctively use email to send highly confidential information as attachments.  Perhaps better alternatives can now be considered?